ELC 200 Day23
advertisement
ELC 200 Day 23 ELECTRONIC COMMERCE From Vision to Fulfillment Third Edition Elias M. Awad © 2007 Prentice-Hall, Inc 12-1 Agenda • Assignment 7 Grades posted – 9 A’s, 6’s and 1 C’s and 1 MIA • Assignment 8 Posted – Due Monday, April 21 @ 3:35 Pm • ECommerce Initiative Frameworks – Guidelines – Due MAY 7 @ 10 AM • Finish discussion on eSecurity and the USA Patriot Act and Start Discussion on Encryption © 2007 Prentice-Hall, Inc 12-2 End of days? (subject to change) • April 17 & 21 – Finish Chap 13 eSecurity and the USA Patriot Act – Chap 14 Encryption – Assignment 8 Due April 21 • April 24 & 28 – Chap 15 getting the money – Optional Assignment 9 • Due May 1 • May 1 – Quiz 4 – Chapters 12 16 – 20 M/C and 4 short essay • May 7 @ 10 AM – eCommerce frameworks due – Student presentations • 5 Mins! © 2007 Prentice-Hall, Inc 12-3 E-Security and the USA Patriot Act ELECTRONIC COMMERCE From Vision to Fulfillment Third Edition Elias M. Awad © 2007 Prentice-Hall, Inc 12-4 Ethics Assignment 7 Equal Credit Opportunity Act The Equal Credit Opportunity Act guarantees equal opportunity to all customers of credit card companies, banks, loan and finance companies, retail stores and credit unions. Discrimination on the basis of race, color, sex, religion, national origin, marital status, age (provided the consumer has the capacity to enter into a binding contract), receipt of public assistance or the fact that the consumer has in good faith exercised any right under the Consumer Credit Protection Act is strictly prohibited. The following summarizes some of the key protections under the Act: •In general, creditors cannot ask you for your race, sex, or national origin, nor can they use these factors when deciding whether to give you a loan or other credit. However, if you apply for a mortgage, the lender is required to ask you about these facts. Your answers may be used to help enforce laws against discrimination. Even so, you aren't required to give this information. •You're entitled to your own credit history - in your individual name - even if you are married. This can be important if you should ever need credit on your own. However, if you share credit with your spouse, you will share your partner's credit record as well. •If you apply for unsecured credit on your own, your marital status is off-limits. •You don't have to tell a creditor you're divorced or you're receiving support payments. However, a lender has a legitimate interest in your ability to repay your debts. Therefore, you may have to disclose any alimony, maintenance or child support you're obligated to pay. You must also list any support payments you receive if you want them to be counted as income on your application. •As long as you're old enough to sign a legal contract, your age can't be used against you. •A creditor cannot discriminate against you if you receive public assistance. However, a creditor can verify any income you list on a credit application. © 2007 Prentice-Hall, Inc 12-5 The Virus: Computer Enemy Number One • Most serious attack on a client computer or a server in an Internet environment is the virus • A virus is a malicious code that replicates itself and can be used to disrupt the information infrastructure • Viruses commonly compromise system integrity, circumvent security capabilities, and cause adverse operation by taking advantage of the information system of the network © 2007 Prentice-Hall, Inc 12-6 Types of Viruses • File virus is one that attacks executable files • Boot virus attacks the boot sectors of the hard drive and diskettes • Macro virus exploits the macro commands in software applications such as Microsoft Word © 2007 Prentice-Hall, Inc 12-7 Levels of Virus Damage © 2007 Prentice-Hall, Inc 12-8 Steps for Antivirus Strategy • Establish a set of simple enforceable rules for others to follow • Educate and train users on how to check for viruses on a disk • Inform users of the existing and potential threats to the company’s systems and the sensitivity of information they contain • Periodically update the latest antivirus software © 2007 Prentice-Hall, Inc 12-9 Getting Rid of Viruses • Get a good Virus Projection Software – Free (not Recommended) • Anti-Vir • Avast • AVG – Not Free • Norton AntiVirus • MacAfee – Free for UMFK students and staff • http://www.umfk.maine.edu/it/antivirus/ • Update definition files often © 2007 Prentice-Hall, Inc 12-10 Spyware • • • • • Software that sits on your computer – Monitors everything that you do and sends out reports to Marketing agencies – Usually tied to a POP-UP or AD server Top Spyware – I-Look Up – CoolWebSearch – N-CASE – GATOR – DoubleClick If you have ever loaded up ICQ Loaded on your PC you have Spyware If you have ever had KAZAA loaded on your PC you have Spyware If you have loaded Quicken or TurboTax you have Spyware – C-Dilla © 2007 Prentice-Hall, Inc 12-11 Spyware infestation. Taken by Brandon Waddell. © 2007 Prentice-Hall, Inc 12-12 Spyware and Adware • Spyware is software the user unknowingly installs through an e-mail attachment or downloading an infected file that could be used for illicit reasons • Adware is software that sneaks into a user’s hard disk installed by Internet advertising companies to promote pop-up ads and release information for advertisers on the outside © 2007 Prentice-Hall, Inc 12-13 Spyware Solutions • Enforce strict user Web policies on surfing and downloading activities • Install a desktop firewall on every laptop and desktop http://www.zonelabs.com • Do not give users administrator privileges • Configure an e-mail gateway to block all executable e-mail attachments • Ensure desktop antivirus software signatures are up to date © 2007 Prentice-Hall, Inc 12-14 Spyware Solutions (Cont’d) • Use commercial antispyware software to detect and remove existing spyware program - http://www.spybot.com – Keeping Your PC Spyware Free.pdf • Enforce the usage of higher security settings in Internet browsers to prevent sites that cause spyware infection • Use pop-up blockers that lead to Web sites low trustworthiness • Educate your employees and staff about spyware threats be creating an active out-reach with groups and organizations, including the Consortium of Anti-Spyware Technology (COAST) © 2007 Prentice-Hall, Inc 12-15 Compliance Legislation • The Gramm-Leach-Billey Act – Protects personal data • The VISA USA Cardholder Information Security Program – Personal data must be encrypted • The Sarbanes-Oxley Act – Executives must vouch for effectiveness of controls • The Basel II Capital Accords – Internal accord specifying cash and risk reporting © 2007 Prentice-Hall, Inc 12-16 Steps to Prevent E-Commerce Fraud • Be aware of corporate critical assets and who might be after the assets • Investigate common attacks and electronic-fraud schemes that could be used against the company’s critical assets • Install strong encryption such as public key infrastructure (PKI) • Develop a program for evidence collection (called forensics) via committed investigators © 2007 Prentice-Hall, Inc 12-17 Steps to Prevent E-Commerce Fraud (Cont’d) • Ensure maintenance of strong and reliable transaction, network, and Internet service provider logs • Conduct penetration testing to judge the integrity of existing security • Investigate the availability of cyber-fraud insurance to provide coverage for potential losses © 2007 Prentice-Hall, Inc 12-18 Security Protection and Recovery • Install proper firewall(s) to protect data • Ensure that your network is configured properly • Protect your most sensitive data through encryption • Maintain and update all antivirus programs on your PC or terminal • Restrict access to your files by “need to know’ • Assign unique IDs to authorized personnel and track all IDs on a daily basis • Ensure that your system administrators have contemporary security skills • Enforce and update company information security policy and inform employees of any changes in policy © 2007 Prentice-Hall, Inc 12-19 Firewalls and Security • Firewalls can be used to protect a corporation’s network in a number of ways – Protect against authenticated log-ins – Block all unsecured access to the internal network – Separate groups within an organization • Firewalls ensure – Data integrity – Authentication – Confidentiality © 2007 Prentice-Hall, Inc 12-20 Firewall Design and Implementation Issues • Design Issues – Policy – Level of monitoring and control the organization wants – Financial and administrative – Whether the company wants internal firewalls installed • Firewall Design features – Security policy – Deny policy – Filtering ability – Scalability – Authentication – Recognizing dangerous services – Effective audit logs © 2007 Prentice-Hall, Inc 12-21 Corporate Networks and Firewalls © 2007 Prentice-Hall, Inc 12-22 How Firewalls Work • Firewall check Packets in and out of Networks – Decide which packets go through and which don’t – Work in both directions – Only one part of Security © 2007 Prentice-Hall, Inc 12-23 Firewalls Attack Prevention System Attack Message Hardened Client PC Firewall Attack Message X Hardened Server With Permissions Internet Stops Most Attack Messages Attacker Corporate Network © 2007 Prentice-Hall, Inc 12-24 How Personal Firewalls work • Software version of a standard Hardware firewall • Controls packets in and out of one PC in much the same way as a Hardware Firewall does © 2007 Prentice-Hall, Inc 12-25 Privativate Lines CSU/DSU ROUTER Internet CSU/DSU ROUTER VPN Concentratror CSU/DSU ROUTER VPN Concentratror CSU/DSU ROUTER Router Load balancer Router Server Server Server Server Server Server Server Server Server Server Server Server Server Server Server Server CSU/DSU ROUTER Load balancer CSU/DSU ROUTER Switch Firewall Load balancer Server Server CSU/DSU ROUTER Msg Server Farm Firewall Firewall CSU/DSU ROUTER Load balancer Firewall switch Switch Switch Firewall Switch Minicomputer Firewall Minicomputer Disk array Server Server Server Server Minicomputer Server Server Server Server Server Server Server Server Server Server Minicomputer Server Server Server Server Server Server Server Server Server ServerServer Server Server Switch Switch Switch Web Server farm © 2007 Prentice-Hall, Inc Switch Disk array Server Switch Application Server farm Switch 12-26 DB SERVER FARM Cycle of Recovery from Attack • Attack detection and vulnerability assessment • Damage assessment <> evidence collection • Correction and recovery • Vigilance and corrective feedback © 2007 Prentice-Hall, Inc 12-27 Biometric Security • Biometrics is the science and technology of quantifying and statistically scrutinizing biological data • Biometrics enhance authentication • Biometric devices ensure that the person who encrypts data is the only one who can decrypt and has access to the data • Applying biometric technology on a smart card also would increase the level of confidence in the security • When considering biometric technologies for future use, management does need to implement a cost-effective system appropriate for their particular circumstance © 2007 Prentice-Hall, Inc 12-28 Types of Biometrics and Select Application Areas © 2007 Prentice-Hall, Inc 12-29 Types of Biometrics and Select Application Areas (Cont’d) © 2007 Prentice-Hall, Inc 12-30 Terrorism How Modern Terrorism Uses the Internet • • • • • • • • • • • • • • • • • • • • • • http://www.state.gov/s/ct/rls/fs/37191.htm Abu Nidal Organization (ANO) Abu Sayyaf Group Al-Aqsa Martyrs Brigade Ansar al-Islam Armed Islamic Group (GIA) Asbat al-Ansar Aum Shinrikyo Basque Fatherland and Liberty (ETA) Communist Party of the Philippines/New People's Army (CPP/NPA) Continuity Irish Republican Army Gama’a al-Islamiyya (Islamic Group) HAMAS (Islamic Resistance Movement) Harakat ul-Mujahidin (HUM) Hizballah (Party of God) Islamic Jihad Group Islamic Movement of Uzbekistan (IMU) Jaish-e-Mohammed (JEM) (Army of Mohammed) Jemaah Islamiya organization (JI) al-Jihad (Egyptian Islamic Jihad) Kahane Chai (Kach) Kongra-Gel (KGK, formerly Kurdistan Workers' Party, PKK, KADEK • • • • • • • • • • • • • • • • • • • • • © 2007 Prentice-Hall, Inc Lashkar-e Tayyiba (LT) (Army of the Righteous) Lashkar i Jhangvi Liberation Tigers of Tamil Eelam (LTTE) Libyan Islamic Fighting Group (LIFG) Moroccan Islamic Combatant Group (GICM) Mujahedin-e Khalq Organization (MEK) National Liberation Army (ELN) Palestine Liberation Front (PLF) Palestinian Islamic Jihad (PIJ) Popular Front for the Liberation of Palestine (PFLF) PFLP-General Command (PFLP-GC) al-Qa’ida Real IRA Revolutionary Armed Forces of Colombia (FARC) Revolutionary Nuclei (formerly ELA) Revolutionary Organization 17 November Revolutionary People’s Liberation Party/Front (DHKP/C) Salafist Group for Call and Combat (GSPC) Shining Path (Sendero Luminoso, SL) Tanzim Qa'idat al-Jihad fi Bilad al-Rafidayn (QJBR) (al-Qaida in Iraq) (formerly Jama'at alTawhid wa'al-Jihad, JTJ, al-Zarqawi Network) United Self-Defense Forces of Colombia (AUC) 12-31 National Strategy to Secure Cyberspace The National Strategy to Secure Cyberspace articulates five national priorities including: I. A National Cyberspace Security Response System; II. A National Cyberspace Security Threat and Vulnerability Reduction Program; III. A National Cyberspace Security Awareness and Training Program; IV. Securing Governments’ Cyberspace; V. National Security and International Cyberspace Security Cooperation. cyberspace_strategy.pdf © 2007 Prentice-Hall, Inc 12-32 USA Patriot Act • • • • Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 Enacted Oct, 2001 and was to last for 4 years USA Patriot Act Improvement And Reauthorization Act Of 2005 – Signed March 2006 ACLU repsonse – Expands terrorism laws to include “domestic terrorism” which could subject political organizations to surveillance, wiretapping, harassment, and criminal action for political advocacy. – Expands the ability of law enforcement to conduct secret searches, gives them wide powers of phone and Internet surveillance, and access to highly personal medical, financial, mental health, and student records with minimal judicial oversight. – Allows FBI Agents to investigate American citizens for criminal matters without probable cause of crime if they say it is for “intelligence purposes.” – Permits non-citizens to be jailed based on mere suspicion and to be denied re-admission to the US for engaging in free speech. Suspects convicted of no crime may be detained indefinitely in six month increments without meaningful judicial review. © 2007 Prentice-Hall, Inc 12-33 Implications for Management • The Internet is becoming an increasingly filtered channel of communication • Information security continues to be deemphasized or ignored by management at all levels of the organization • Changes in the identification of threats, the growing advancement of technologies, and the identification of new threats continue to shift the organizational security focus • Any serious profile should begin with a valid security policy, which is then translated into an effective security plan with a focus on prevention, detection, and ©correction of threats 2007 Prentice-Hall, Inc 12-34 Encryption: A Matter of Trust ELECTRONIC COMMERCE From Vision to Fulfillment Third Edition Elias M. Awad © 2007 Prentice-Hall, Inc 12-35 The focus of this chapter is on several learning objectives • Understanding the basic algorithm used in encryption • Issues in public-key cryptography • Tools used for authentication and trust • Brief coverage of the main Internet security protocols and standards • Implications and future of encryption in ecommerce © 2007 Prentice-Hall, Inc 12-36 What Is Encryption? • A way to transform a message so that only the sender and recipient can read, see, or understand it • Plaintext (cleartext): the message that is being protected • Encrypt (encipher): transform a plaintext into ciphertext • Encryption: a mathematical procedure that scrambles data so that it is extremely difficult for anyone other than authorized recipients to recover the original message • Key: a series of electronic signals stored on a PC’s hard disk or transmitted as blips of data over transmission lines – Plaintext + key = Ciphertext – Ciphertext – key = Plaintext © 2007 Prentice-Hall, Inc 12-37 Symmetric Key Encryption Symmetric Key Message Encryption Method & “Hello” Key Encrypted Message Interceptor Network Party A Party B Encryption uses a non-secret encryption method and a secret key © 2007 Prentice-Hall, Inc 12-38 Simple example (encrypt) • Every letter is converted to a two digit number – A=1, Z = 26 – ANTHONY 01 14 20 08 15 14 25 – Produce any 4 digit key 3654 – Add together in blocks of 4 digits – 0114 + 3654 = 3768 – 2008 + 3654 = 5662 – 1514 + 3654 = 5168 – 2500 + 3654 = 6154 (pad with 00 to make even) • Send 3768566251686154 to fellow Spy © 2007 Prentice-Hall, Inc 12-39 Simple example (Decrypt) • Received 3768566251686154 from fellow Spy – Break down in 4 digits • 3768 5662 5168 6154 – Get right Key 3654 – Subtract key from blocks of 4 digits – 3768 - 3654 = 114 – 5662 - 3654 = 2008 – 5168 - 3654 = 1514 – 6154 - 3654 = 2500 – If result is negative add 10000 • Break down to 2 digits and decode – 01 = A, 14 =N, 20 = T, 08 = H • BuckRogers.xls © 2007 Prentice-Hall, Inc 12-40 Public-Key Infrastructure (PKI) • Creates the ability to authenticate users, maintain privacy, ensure data integrity, and process transactions without the risk of repudiation • PKI satisfies four security needs – Authentication - identifies or verifies that the senders of messages are, in fact, who they claim to be – Integrity - verifies that neither the purchase amount not the goods bought are changed or lost during transmission – Nonrepudiation - prevents sender and vendor in a transaction of communication activity from later falsely denying that the transaction occurred – Privacy - shields communications from unauthorized viewing or access © 2007 Prentice-Hall, Inc 12-41 Basic Encryption Algorithm • Both sender and receiver have to know the rules used to transform the original message or transaction into its coded form • A set of rules for encoding and decoding messages is called a cipher (or cyper) • A message can be decrypted only if the decryption key matches the encryption key • A 6-bit key allows for only 64 possible numeric combinations(26) • The standard 56-bit DES encryption code can be cracked on a high-speed computer in a few hours • 100 bit key has 2100 possible keys © 2007 Prentice-Hall, Inc 12-42 Classes of Algorithms • Secret-key (symmetric) encryption: encryption system in which sender and receiver possess the same key; the key used to encrypt a message also can be used to decrypt it • Stream cipher: a symmetric algorithm that encrypts a single bit of plaintext at a time • Block cipher: a symmetric algorithm that encrypts a number of bits as a single unit • Public-key (asymmetric) encryption: encoding/decoding using two mathematically related keys or key-pairs; one public key and one private key • Key-pairs can be used in two ways: – To provide message confidentiality – To prove the authenticity of the message originator © 2007 Prentice-Hall, Inc 12-43 Message Confidentiality Using a Key-Pair © 2007 Prentice-Hall, Inc 12-44 Public Key Encryption Public Key Encryption for Confidentiality Encrypt with Party B’s Public Key Party A Encrypted Message Decrypt with Party B’s Private Key Note: Four keys are used to encrypt and decrypt in both directions Decrypt with Party A’s Private Key Encrypted Message © 2007 Prentice-Hall, Inc Party B Encrypt with Party A’s Public Key 12-45 Common Cryptosystems • RSA Algorithm is the most commonly used public-key algorithm, although it is vulnerable to attack • Data Encryption Standards (DES) is a popular secret-key encryption system; the first to be widely adopted commercially • Triple DES (3DES) is a stronger version of DES that uses three 56-bit keys to encrypt each block of plaintext • RC4 is a variable-length cipher widely used on the Internet as a bulk encryption cipher in SSL protocol • IDEA is a strong encryption algorithm using a 128-bit key to encrypt 64-bit blocks; resistant to brute-force attack © 2007 Prentice-Hall, Inc 12-46 Major Attacks on Cryptosystems • Chosen-plaintext attack • Known-plaintext attack • Ciphertext-only attack • Third-party attack © 2007 Prentice-Hall, Inc 12-47 Authentication and Trust • Digital Signature is a special signature for signing electronic correspondence, produced by encrypting the message digest with the sender’s private key • Authentication is verifying that a message or document, in fact, comes from the claimed sender • Hash function is a formula that converts a message of a given length into a string of digits called a message digest • Cryptographic hash functions are generally used to construct the message digest © 2007 Prentice-Hall, Inc 12-48 The Digital Signature Process © 2007 Prentice-Hall, Inc 12-49 Digital Certificates • Digital certificates are the heart of secure online transactions • A digital certificate is a software program that can be installed in a browser • Your digital certificate identifies you to Web sites equipped to check it automatically • Digital certificate is an electronic document issued by a certificate authority to establish a merchant’s identity • Certificate authority (CA) is a trusted entity that issues and revokes public-key certificates and manages key-pairs © 2007 Prentice-Hall, Inc 12-50 Verifying a Digital Signature © 2007 Prentice-Hall, Inc 12-51 Four Classes of Digital Certificates • Class 1 certificates contain minimum checks on the user’s background • Class 2 certificates check for information like real name, Social Security number, and the date of birth • Class 3 certificates are the strongest type • Class 4 certificates are the most thorough © 2007 Prentice-Hall, Inc 12-52 Managing Cryptographic Keys • Key management is the process of making keys known to the systems that need them and making sure keys are protected against disclosure or substitution • Key Life Cycle – Key generation and registration – Key distribution – Key backup and recovery • Key escrow: location where keys held in trust by a third party reside • Notary service: company that provides encryption-oriented services including key escrow, key recovery, time stamping, trusted intermediary, and archiving – Key revocation and destruction © 2007 Prentice-Hall, Inc 12-53 Third-Party Services • Certificate authority verifies certificates intended for use by other distinct legal entities • Certificate policy is a set of rules that identifies how, when, and for what reasons certificates are used within the assigned organization • Directory service is a repository that distributes certificates as requested by message originators © 2007 Prentice-Hall, Inc 12-54 Internet Security Protocols • Two key protocols for secure World Wide Web transactions are: – Secure Socket Layer (SSL) is a portocol for secure Web transactions, secures data packets at the network layer – Secure HTTP (S-HTTP) is a protocol that secures Web transactions and nothing else • Secure Electronic Transaction (SET) is a protocol used for handling funds transfers from credit card issuers to a merchant’s bank account – A digital certificate customers can request from their issuing bank by filling out a form on the bank’s Web site – A digital wallet is an online shopping device that seals personal information in a free plug-in that can be invoked when making a purchase © 2007 Prentice-Hall, Inc 12-55 Secure E-mail • Pretty Good Privacy (PGP) is a protocol that encrypts the data with a one-time algorithm and then encrypts the key to the algorithm using public-key cryptography • S/MIME (Multipurpose Internet Mail Extension) is a powerful protocol that provides security for different data types and attachments to e-mails • Message Security Protocol (MSP) is a protocol that secures e-mail attachments across multiple platforms © 2007 Prentice-Hall, Inc 12-56 Implications for E-Commerce • Developing high-powered and reliable encryption methods is a top priority for many organizations • Most encryption systems have prevention as the sole means of defense • Merchants face a number of choices when considering encryption methods • A major concern is the cost associated with different encryption methods • Government regulations present considerable problems for businesses © 2007 Prentice-Hall, Inc 12-57 Chapter Summary • Encryption addresses message transmission security requirements • Encryption satisfies requirements for authentication, integrity, and nonrepudiation • There are two classes of key-based algorithms – Secret key – Public key • Cryptanalysis is the science of deciphering encrypted messages without knowing the right key © 2007 Prentice-Hall, Inc 12-58 Chapter Summary (Cont’d) • One way to implement public-key authentication is to send a digital signature with each message • A digital certificate is an electronic document issued by a certificate authority (CA) to establish a merchant’s identity by verifying its name and public key • Security measures installed to minimize vulnerability to the exchange of information includes – SSL – SHTTP – SET – S/MIME © 2007 Prentice-Hall, Inc 12-59
